Overview

overview

10

Static

static

10

download.exe

windows7_x64

10

download.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-04-2021 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    download.exe

  • Size

    775KB

  • MD5

    b945f5042cd642bd3057177de0604a56

  • SHA1

    d680d790167a7f84f7e531b2d16db0a0e3359f73

  • SHA256

    98388773dc5da7f73a32a08613404029c7cd23078d697700aec6b573b2fa8e09

  • SHA512

    b8b0def1662f4bea4134049d883a53707a2dd94b193d213c1e2ca73742e1d03fb699eaed2137e71ed1985cf01ea268474bee4efa0f903697c63d106cf982fb45

Score
10/10
evasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\.oracle_jre_usage\9f6KKOh_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BDEDdeaBAC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk1OS1JZkNydHQwS05Nb3liclZiKzd0YmcyYjI4M0U1YWFTQVdzQnB3WTNmRGdLcmpWMUkwRm0xUnVDMDFrSkZXclBaNDdMN2hkaE5wVWFZTkNlSjZFMnErWFU5M2wyRm5jdDVEenNZWHdJcGhkV2hxL1ROOVZ6b2w0UjI4UTJvU0k5WGRtMDdnYkY0WXIxeXRaa3VuNU5Semc3ZzBZUE9TUXFpZ3NFb3NjZ1pKRytKdEcwVFlMTUcwZE1kM3puRU1LTkFCZnFqTWNNcFJoTmpHVnVhNUwwc3Q2Mnl4RVdQcWxydVR2WHp3WmtuWCtkNjl2S3Y2Mk1nZVUyRDJjM01BRnBOT3ZyOHprNCtrU3M4c3dyUWRnUFMwS1l6aTdrU09yVlA3VlNMY0xCNFd1aXZBTVJuaHk2RTRiR29oSVRSTENxU0RpNGNIdlBCbnFCYVR4TjFCZTVJMSttdlBUV3VZTVk3ZjIzKy83M2lyd21QVEJ5MFdnZ1ZVRDhPMGlMaG93SVN1ZFg3ekJQcTIrWUE2RjBnNk9odkd6eSt2WHBFbnhPZ0pqWU1aQUxyZy84OWVDV0tCWDRKVlhwZmdUVStvUjJaajNEanZBRlgwdmcxYlozL0pTL0FnU0YrUW4veGpPNS9FVzhOMm9kamtjdGw4Q1o5SDdIcXJCZ00zVHJhZ0cwOEFvNVlFTjJRUDJyVEc5QlpaRjh1SHpLTHdHQXRQdERFblVjK1J0cE84R24vVHdEeFplVTZicU9mV3BiL2ROUE8xUjZTRkNidjhYUmNKQzZmVmxNemlXVEM3T01GOUFsMkI5dVJGOFpqUXBjeU1mOTB4L0txMFJlaEc4UHRqdGpya1FVN0tZVDZwa1JuNFc4YThnTHc4U3NFa0pzRFlVRzJDd252U05jbG9nbWpWQU8wSzhHOXVUcFdvVTdDVVpsSWpnM0V4ZlJkZk9OTWdxUExjRWlGckgxaEEybDhJdTRsOU0vc0R1aXY3Q3lVUlpvVm5JYmhuc0FXQTlIcVI4Mm0zcnNoOHVrZ0RmMzVSNU0wTER2SEJuVWNkajVkeGh6NzdnK2ExLytVNTNyV1VJNUw1cm02Z1JQN1A5NjRGY21wVlpVY1VNQVovVXVkNE1UK0RNTnZWZTVJSDVsY3I1Y2crMlpON0s2YnlQMG1oQXA0ZWxrWXJSRFNiK0RPS2xaUmxLR1BpY1hYS1NoblRjUjNzOUcrdWFYaVB3Skc0YlF3ZDdFSENRK0pTMk9yN1BOUGM2Z2ltTnVtYkhDUnVqRE95b1h6RTlQZE5aVmtseUF4SjlxNDFOajFJeloySzdib0JwUGVDL2oxZHZoWUhIamZndW10VEVwaDJVd0h4dnZ0WE9kNHZZNjlONnArcVJmaUFtaFV2U1MzakpxZVJMOHJLVzlxSDlDdnlVRk9hVGFMWVh3bmYxRFN2Zk1sbFB5RW9Pck1xaUlpUWlNWktnYlBJMS8xMVlpVmU0a2dZNVZrTWZmOCt5bmI2cnY1RDFUQ1hkVWJiK0I5UFJIbjljN0k0cjF3UlZ5cU9iWGYyRndEUk4wbUxkV2xteGQyUkZHaWZJUmtnd3JkMVkrUG0rWlczaWhsYTYveHYzZnMrV3dWQjd1TXNHNWM1QzRvU2ZxWWlMMW4yeWdkSmNXWFYyT1oraWNFVXFNQkxYYXV1NWNwTUQxNWR3aWQvb21iNjBBWENrWTRpZzcvb0MwTGRzdHFHeGVibU9IT2JocGxoeWNGa1k0OFBWWFJYR014dUovcVZmKzdNL05XWVNCZ1hISlNyeDA0T2dXN1VweDA4NG80dVRvNndyRVAzcW84V3VyVndsS3dVL3JyYjhPcDM2eWVxbDNTaHFsMnpyMUJKbzRRVmRCUnFvL25DRnhSTjIwZUc1b3J0RFJyand1djFINFc3N0ZncGVqNXJQYWp0VHpiMUtIS1pkSUlhd2h1K2lqUFplemVuQmU2a2FlTGhzckR4NmNBeEZOY2VER3JXOFpsQmNoQVVnajFuNCtUaWJrd2JmVU83NWhwa2ttRHFhUXNrVEd2M0lkQWtLZFp1Mk5QOVR0Y0lTa1VxUjQ2WVc3VVI3WmtlLzdzajljPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * LPIXTnGqs4wrxYgtkTurxczTeq
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\9f6KKOh_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BDEDdeaBAC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk1OS1JZkNydHQwS05Nb3liclZiKzd0YmcyYjI4M0U1YWFTQVdzQnB3WTNmRGdLcmpWMUkwRm0xUnVDMDFrSkZXclBaNDdMN2hkaE5wVWFZTkNlSjZFMnErWFU5M2wyRm5jdDVEenNZWHdJcGhkV2hxL1ROOVZ6b2w0UjI4UTJvU0k5WGRtMDdnYkY0WXIxeXRaa3VuNU5Semc3ZzBZUE9TUXFpZ3NFb3NjZ1pKRytKdEcwVFlMTUcwZE1kM3puRU1LTkFCZnFqTWNNcFJoTmpHVnVhNUwwc3Q2Mnl4RVdQcWxydVR2WHp3WmtuWCtkNjl2S3Y2Mk1nZVUyRDJjM01BRnBOT3ZyOHprNCtrU3M4c3dyUWRnUFMwS1l6aTdrU09yVlA3VlNMY0xCNFd1aXZBTVJuaHk2RTRiR29oSVRSTENxU0RpNGNIdlBCbnFCYVR4TjFCZTVJMSttdlBUV3VZTVk3ZjIzKy83M2lyd21QVEJ5MFdnZ1ZVRDhPMGlMaG93SVN1ZFg3ekJQcTIrWUE2RjBnNk9odkd6eSt2WHBFbnhPZ0pqWU1aQUxyZy84OWVDV0tCWDRKVlhwZmdUVStvUjJaajNEanZBRlgwdmcxYlozL0pTL0FnU0YrUW4veGpPNS9FVzhOMm9kamtjdGw4Q1o5SDdIcXJCZ00zVHJhZ0cwOEFvNVlFTjJRUDJyVEc5QlpaRjh1SHpLTHdHQXRQdERFblVjK1J0cE84R24vVHdEeFplVTZicU9mV3BiL2ROUE8xUjZTRkNidjhYUmNKQzZmVmxNemlXVEM3T01GOUFsMkI5dVJGOFpqUXBjeU1mOTB4L0txMFJlaEc4UHRqdGpya1FVN0tZVDZwa1JuNFc4YThnTHc4U3NFa0pzRFlVRzJDd252U05jbG9nbWpWQU8wSzhHOXVUcFdvVTdDVVpsSWpnM0V4ZlJkZk9OTWdxUExjRWlGckgxaEEybDhJdTRsOU0vc0R1aXY3Q3lVUlpvVm5JYmhuc0FXQTlIcVI4Mm0zcnNoOHVrZ0RmMzVSNU0wTER2SEJuVWNkajVkeGh6NzdnK2ExLytVNTNyV1VJNUw1cm02Z1JQN1A5NjRGY21wVlpVY1VNQVovVXVkNE1UK0RNTnZWZTVJSDVsY3I1Y2crMlpON0s2YnlQMG1oQXA0ZWxrWXJSRFNiK0RPS2xaUmxLR1BpY1hYS1NoblRjUjNzOUcrdWFYaVB3Skc0YlF3ZDdFSENRK0pTMk9yN1BOUGM2Z2ltTnVtYkhDUnVqRE95b1h6RTlQZE5aVmtseUF4SjlxNDFOajFJeloySzdib0JwUGVDL2oxZHZoWUhIamZndW10VEVwaDJVd0h4dnZ0WE9kNHZZNjlONnArcVJmaUFtaFV2U1MzakpxZVJMOHJLVzlxSDlDdnlVRk9hVGFMWVh3bmYxRFN2Zk1sbFB5RW9Pck1xaUlpUWlNWktnYlBJMS8xMVlpVmU0a2dZNVZrTWZmOCt5bmI2cnY1RDFUQ1hkVWJiK0I5UFJIbjljN0k0cjF3UlZ5cU9iWGYyRndEUk4wbUxkV2xteGQyUkZHaWZJUmtnd3JkMVkrUG0rWlczaWhsYTYveHYzZnMrV3dWQjd1TXNHNWM1QzRvU2ZxWWlMMW4yeWdkSmNXWFYyT1oraWNFVXFNQkxYYXV1NWNwTUQxNWR3aWQvb21iNjBBWENrWTRpZzcvb0MwTGRzdHFHeGVibU9IT2JocGxoeWNGa1k0OFBWWFJYR014dUovcVZmKzdNL05XWVNCZ1hISlNyeDA0T2dXN1VweDA4NG80dVRvNndyRVAzcW84V3VyVndsS3dVL3JyYjhPcDM2eWVxbDNTaHFsMnpyMUJKbzRRVmRCUnFvL25DRnhSTjIwZUc1b3J0RFJyand1djFINFc3N0ZncGVqNXJQYWp0VHpiMUtIS1pkSUlhd2h1K2lqUFplemVuQmU2a2FlTGhzckR4NmNBeEZOY2VER3JXOFpsQmNoQVVnajFuNCtUaWJrd2JmVU83NWhwa2ttRHFhUXNrVEd2M0lkQWtLZFp1Mk5QOVR0Y0lTa1VxUjQ2WVc3VVI3WmtlLzdzajljPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * iYQuo03AigfwpUovvzoz7H7U11Xpa
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\9f6KKOh_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BDEDdeaBAC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk1OS1JZkNydHQwS05Nb3liclZiKzd0YmcyYjI4M0U1YWFTQVdzQnB3WTNmRGdLcmpWMUkwRm0xUnVDMDFrSkZXclBaNDdMN2hkaE5wVWFZTkNlSjZFMnErWFU5M2wyRm5jdDVEenNZWHdJcGhkV2hxL1ROOVZ6b2w0UjI4UTJvU0k5WGRtMDdnYkY0WXIxeXRaa3VuNU5Semc3ZzBZUE9TUXFpZ3NFb3NjZ1pKRytKdEcwVFlMTUcwZE1kM3puRU1LTkFCZnFqTWNNcFJoTmpHVnVhNUwwc3Q2Mnl4RVdQcWxydVR2WHp3WmtuWCtkNjl2S3Y2Mk1nZVUyRDJjM01BRnBOT3ZyOHprNCtrU3M4c3dyUWRnUFMwS1l6aTdrU09yVlA3VlNMY0xCNFd1aXZBTVJuaHk2RTRiR29oSVRSTENxU0RpNGNIdlBCbnFCYVR4TjFCZTVJMSttdlBUV3VZTVk3ZjIzKy83M2lyd21QVEJ5MFdnZ1ZVRDhPMGlMaG93SVN1ZFg3ekJQcTIrWUE2RjBnNk9odkd6eSt2WHBFbnhPZ0pqWU1aQUxyZy84OWVDV0tCWDRKVlhwZmdUVStvUjJaajNEanZBRlgwdmcxYlozL0pTL0FnU0YrUW4veGpPNS9FVzhOMm9kamtjdGw4Q1o5SDdIcXJCZ00zVHJhZ0cwOEFvNVlFTjJRUDJyVEc5QlpaRjh1SHpLTHdHQXRQdERFblVjK1J0cE84R24vVHdEeFplVTZicU9mV3BiL2ROUE8xUjZTRkNidjhYUmNKQzZmVmxNemlXVEM3T01GOUFsMkI5dVJGOFpqUXBjeU1mOTB4L0txMFJlaEc4UHRqdGpya1FVN0tZVDZwa1JuNFc4YThnTHc4U3NFa0pzRFlVRzJDd252U05jbG9nbWpWQU8wSzhHOXVUcFdvVTdDVVpsSWpnM0V4ZlJkZk9OTWdxUExjRWlGckgxaEEybDhJdTRsOU0vc0R1aXY3Q3lVUlpvVm5JYmhuc0FXQTlIcVI4Mm0zcnNoOHVrZ0RmMzVSNU0wTER2SEJuVWNkajVkeGh6NzdnK2ExLytVNTNyV1VJNUw1cm02Z1JQN1A5NjRGY21wVlpVY1VNQVovVXVkNE1UK0RNTnZWZTVJSDVsY3I1Y2crMlpON0s2YnlQMG1oQXA0ZWxrWXJSRFNiK0RPS2xaUmxLR1BpY1hYS1NoblRjUjNzOUcrdWFYaVB3Skc0YlF3ZDdFSENRK0pTMk9yN1BOUGM2Z2ltTnVtYkhDUnVqRE95b1h6RTlQZE5aVmtseUF4SjlxNDFOajFJeloySzdib0JwUGVDL2oxZHZoWUhIamZndW10VEVwaDJVd0h4dnZ0WE9kNHZZNjlONnArcVJmaUFtaFV2U1MzakpxZVJMOHJLVzlxSDlDdnlVRk9hVGFMWVh3bmYxRFN2Zk1sbFB5RW9Pck1xaUlpUWlNWktnYlBJMS8xMVlpVmU0a2dZNVZrTWZmOCt5bmI2cnY1RDFUQ1hkVWJiK0I5UFJIbjljN0k0cjF3UlZ5cU9iWGYyRndEUk4wbUxkV2xteGQyUkZHaWZJUmtnd3JkMVkrUG0rWlczaWhsYTYveHYzZnMrV3dWQjd1TXNHNWM1QzRvU2ZxWWlMMW4yeWdkSmNXWFYyT1oraWNFVXFNQkxYYXV1NWNwTUQxNWR3aWQvb21iNjBBWENrWTRpZzcvb0MwTGRzdHFHeGVibU9IT2JocGxoeWNGa1k0OFBWWFJYR014dUovcVZmKzdNL05XWVNCZ1hISlNyeDA0T2dXN1VweDA4NG80dVRvNndyRVAzcW84V3VyVndsS3dVL3JyYjhPcDM2eWVxbDNTaHFsMnpyMUJKbzRRVmRCUnFvL25DRnhSTjIwZUc1b3J0RFJyand1djFINFc3N0ZncGVqNXJQYWp0VHpiMUtIS1pkSUlhd2h1K2lqUFplemVuQmU2a2FlTGhzckR4NmNBeEZOY2VER3JXOFpsQmNoQVVnajFuNCtUaWJrd2JmVU83NWhwa2ttRHFhUXNrVEd2M0lkQWtLZFp1Mk5QOVR0Y0lTa1VxUjQ2WVc3VVI3WmtlLzdzajljPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 4
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\download.exe"
    1⤵
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3768
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3496
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4224
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:4276
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:4348
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:4400
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /All /Quiet
          2⤵
          • Interacts with shadow copies
          PID:4480
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:3872
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:3568
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:3484

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Bypass User Account Control

        1
        T1088

        Defense Evasion

        Bypass User Account Control

        1
        T1088

        Disabling Security Tools

        1
        T1089

        Modify Registry

        2
        T1112

        File Deletion

        2
        T1107

        Credential Access

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        2
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3496-114-0x0000000000000000-mapping.dmp
          Download
        • memory/4224-115-0x0000000000000000-mapping.dmp
          Download
        • memory/4276-116-0x0000000000000000-mapping.dmp
          Download
        • memory/4348-117-0x0000000000000000-mapping.dmp
          Download
        • memory/4400-118-0x0000000000000000-mapping.dmp
          Download
        • memory/4480-119-0x0000000000000000-mapping.dmp
          Download